The Decline in Chinese Cyberattacks: The Story Behind the Numbers

The Obama administration has been touting a decrease in commercial espionage, but the reality for corporate America may be more complicated.

Last summer, an audience of government officials, military personnel, and foreign ambassadors gathered in Aspen, Colorado, to hear John Carlin, then an assistant attorney general, speak about cyberattacks. The Aspen Security Forum, which is held every year at a breathtaking resort in the Rocky Mountains, is the sort of event where national security wonks go for hikes in T-shirts and shorts, then trade war stories over lemon-raspberry water and superfood balls. The news of the Democratic National Committee hack had broken just the day before, and many hoped that Carlin, who headed up the investigation into the incident, might speak candidly about it. Instead, he recounted the Justice Department’s indictment of five hackers in China’s People’s Liberation Army Unit 61398 for commercial espionage—back in 2014 (see "Cyber-Espionage Nightmare").

A boyish Harvard-trained former prosecutor, Carlin oversaw the department’s efforts to stamp out economic espionage before stepping down earlier this month. In June, the cybersecurity firm FireEye released a report describing a significant decrease since early 2013 in the number of commercial attacks from China, which is the largest source of such attacks. The firm charted attacks on clients around the world by 72 groups that are either based in China or believed to represent Chinese state interests. Beginning in mid-2014, its analysts observed a “noticeable decline” in activity. Intelligence officials have quietly echoed that claim.

For some in the Obama administration, this is proof that using both carrots and sticks to combat Chinese theft of intellectual property—what Carlin called an “all-tools” approach—is working. Indictments and so-called “naming and shaming” have been accompanied by economic sanctions and diplomatic efforts, including a September 2015 agreement between President Obama and Xi Jinping to refrain from conducting or supporting cyber-theft of intellectual property. “This approach is a giant ‘No trespassing’ sign,” Carlin said. “It’s ‘Get off our lawn.’”

But others are not sure the U.S. government should get so much credit. The perceived decline in attacks from China raises a question: why? Former government officials and cybersecurity experts now offer up a range of theories—including a provocative one that questions the extent to which straight commercial cyber-espionage, as opposed to the more targeted spying on military technologies and capabilities that many nations engage in, was ever a priority of the Chinese central government in the first place.

There is little doubt that the Chinese government invests substantial energy in stealing everything from plans for U.S. fighter jets to the 22 million records kept by the Office of Personnel Management, or that it has done little to pursue commercial spies. But some of the more commercially focused attacks carried out by Unit 61398, this theory holds, may have been illusions, while others may never have had explicit backing from Beijing to begin with.

Skeptics abound

Five members of China’s People’s Liberation Army Unit 61398 were indicted by the U.S. Justice Department for commercial espionage in 2014.

In 2013, former FBI director Robert Mueller called for a broad effort to root out cyber-threats and seek the “warm body behind the keyboard.” Speaking at the Brookings Institution the day after the Unit 61398 indictment was unveiled, Carlin said that the bureau had succeeded in “putting a face” on that warm body—or rather, on five of them. The mug shots of these men, who went by monikers like KandyGoo and UglyGorilla, were splashed across posters that read: Wanted by the FBI.

The indictment marked a break with the standard diplomatic practice of not subjecting active military officials of other countries to criminal prosecution, and many in Washington greeted it with skepticism. Some doubted whether the charges would be actionable, while others pointed out that the Justice Department’s stance on commercial espionage—that collecting general economic intelligence is routine statecraft and therefore acceptable, while spying for the benefit of specific companies is not—is a distinction few other countries would recognize. Benjamin Wittes, a senior fellow at Brookings, even wondered whether the Justice Department’s move might be simply “a very sophisticated form of legal PR.”

Doubt continued in September 2015, after the announcement of the China-U.S. agreement. Some believed that Xi’s commitment to refrain from supporting commercial hacking was little more than lip service. Director of National Intelligence James Clapper told Defense News at the time, “I personally am somewhat of a skeptic.”

But as time went on, cybersecurity analysts noticed a curious change. For its recent report, FireEye started in February 2013, the month the threat intelligence firm Mandiant (now owned by FireEye) publicly tied Unit 61398 to a heavily guarded building in Shanghai. Over the years that followed, FireEye analysts logged assaults on clients in the U.S., Japan, and Europe. Attacks peaked at just over 70 per month in September 2013. By the beginning of September 2015, before Obama and Xi signed the agreement, they had slowed to 10 per month, making the accord look like a mere footnote in China’s about-face.

“All indications are that China had already adjusted their policy and approach, and that the agreement was something that was feasible to them because they had already changed direction,” says Daniel McWhorter, chief intelligence strategist and vice president at FireEye. The report is limited to the firm’s visibility and fuzzy on details like what files the attackers took, but in April NSA director Michael Rogers testified that hacking from China had declined. In a talk at the Aspen forum, meanwhile, CIA head John Brennan reiterated that the intelligence community was uncovering fewer attacks from China. In August, when FireEye announced that it would lay off roughly 10 percent of its staff, executives blamed the downturn in Chinese activity.

'Vacuum cleaner' espionage

The “Wanted” posters and the fanfare behind the Unit 61398 indictment reinforced the popular misconception, perpetuated by shows like Mr. Robot, that Chinese hackers are highly organized in their methods and tools. In fact, they were long known for being decentralized and sloppy. Cybersecurity experts once marveled at finding multiple Chinese hacker groups penetrating the same target, with seemingly little or no coördination. At times, such groups made elemental errors. In the 2013 report on Unit 61398, or APT1, that preceded the Justice Department’s indictment, Mandiant could attribute attacks to the Chinese People’s Liberation Army (PLA) in part because the hackers used the army’s hacking infrastructure, which is outside China’s Great Firewall, to access their personal Facebook and Twitter accounts.

Many now believe that such groups have simply cut back on some of the noise that made them easy to detect. At the same time, China has probably refined its focus “from ‘vacuum cleaner’ espionage to more precisely targeted intrusion and theft,” says Greg Austin, a professorial fellow with the EastWest Institute and the author of Cyber Policy in China. State-sponsored hackers used to suck up large amounts of data and then sift through it later, he says. That may have artificially inflated the number of commercial attacks, as hackers targeting dual-use technologies like solar panels swept up pricing information along with design specifications. A switch to more directed national-security-related espionage would mean a reduction in perceived commercial cyberattacks.

In some cases, meanwhile, the likes of UglyGorilla may have been working under the table, without the explicit permission of the central government. The Unit 61398 indictment, for example, alleges that one state-owned enterprise “hired” the unit to “build a ‘secret’ database to hold corporate ‘intelligence.’”

Former assistant attorney general John Carlin.

Those explanations would help solve a number of long-standing mysteries. While Beijing has long encouraged the acquisition of foreign technologies, and IP theft is rampant among Chinese companies, exactly how the state might actively facilitate theft by companies is unclear. The Chinese government has no major intelligence allies and a range of priorities in intelligence collection, including monitoring dissidents, staying abreast of the South China Sea controversy, and tracking activists in Tibet and Xinjiang. It is not known where commercial spying would rank among these priorities—and how the information pilfered in state-sponsored attacks might be systematically disseminated.

Despite close links between the Chinese government and the private sector, in many areas there is no obvious firm to receive commercial secrets. The Unit 61398 indictment, for example, charges that the defendants stole thousands of sensitive files from a U.S. subsidiary of the German company SolarWorld AV. The document implies that the hackers then passed the documents on to a Chinese company or companies exporting solar products to the United States. But some 400 firms fit that description, notes Austin.

The notion that the PLA, as opposed to another Chinese government entity, would have been the designated arbiter for civil-sector industrial espionage is puzzling on another level. The PLA once had its hands in an estimated 20,000 businesses, including everything from pharmaceutical companies to brothels. But since the late 1990s, the Chinese government has devoted considerable energy to reducing the army’s side projects—with the aim of getting military personnel thinking about operations rather than real estate deals. Since he came to power in 2012, Xi Jinping has been particularly firm about military moonlighting.

Xi has also launched an anticorruption drive that, while politically motivated, has revealed the extent of military graft. In January 2015, 16 senior military officers were placed under investigation for offenses that included selling senior positions and ranks to the highest bidder. Among those purged was Guo Boxiong, former vice chairman of the all-important Central Military Commission. So extreme is the anticorruption effort within the PLA that alcohol, a mainstay of official banquets, has been banned from military receptions in hope of warding off unsavory deals—like, say, the sale of hacked commercial secrets.

A tipping point

Against that backdrop, the Chinese commitment last September to refrain from commercial attacks appears less significant. “It’s not that China’s living up to the agreement because they’re living up to the agreement,” says James A. Lewis of the Center for Strategic and International Studies in Washington, D.C. “They’re living up to the agreement because they’re trying to modernize the PLA and reduce corruption.” While a decline in commercial hacking isn’t a significant loss for China as a whole, he adds, “it is a huge loss for individual companies and PLA units.”

Still, U.S. actions may have helped matters reach a tipping point for Chinese leaders, who may well have known about the under-the-table attacks and chosen to look the other way. Former Department of Homeland Security secretary Michael Chertoff, now chairman of the security consultancy Chertoff Group, told me at the Aspen forum, “It doesn’t strike me as unlikely that the word went back, ‘Guys, cool the hot-rodding. If there’s something worth stealing, do it, but do it in a way that’s not so obvious.’”

Regardless of the reason, the drop in apparent attacks should be celebrated, says Jason Healey, a scholar at Columbia University’s School for International and Public Affairs who studies cyber-conflict. Even if China has simply cut back on PLA moonlighting and refined its handling of cyber-espionage, its current approach is “much less escalatory than it was,” he says. “It’s more like the U.S. system: you coördinate, you figure out who is going in. Someone goes in, and you share the take. It’s more the way that a professional intelligence organization works.”

Ongoing talks now provide a chance to keep the pressure on. A bilateral working group formed in the wake of the 2015 agreement is meeting several times a year. “Every time we talk, we reiterate the importance of abiding by the cybersecurity commitment,” says Suzanne Spaulding, the Department of Homeland Security undersecretary who led a U.S. delegation to Beijing last June. “We make clear to our counterparts in every conversation that we are watching this carefully, and that there’s frankly not a lot of public confidence about this. They are aware that the jury is still out.”

Mara Hvistendahl is an Eric & Wendy Schmidt Fellow at New America and the author of Unnatural Selection: Choosing Boys Over Girls, and the Consequences of a World Full of Men. For eight years, she covered China for Science magazine and other publications.